
ASA WebVPN. How do you restrict access to users in an AD group using LDAP?

Hi All,

I am trying to configure separate WebVPN connection profiles to give different portal bookmark contents to users based on their AD group membership. This has been very difficult, even though I believe it should be easy.

The login page of the ASA by default has a dropdown to allow default users to access the default portal and the SSL VPN client connection.

There are two other portals that I would like to restrict access to based on AD group membership.  I have set these up to be selected by URL.

The biggest problem is, I have no way of knowing how to go about this. The AAA LDAP options show a group membership search, which I have configured, but I cannot say "Profile X is restricted to AD group CarpetBaggers", so that if someone that is NOT a carpetbagger tries to log in, it fails.

I can only do an all or nothing scenario.

It would be nice to use Dynamic Access Policies to do this, and I have created a few, but they do NOT seem to work when the drop down aliases or URLs are in use.  So how do I go about using them in this scenario?  Turning off the aliases or URLs is not really an option right now.

Scenario 1 would work the best for me.  Restrict access to profiles/groups based on AD group membership using LDAP.

Scenario 2 would be an ideal longer term solution.

Any thoughts, ideas or assistance would be greatly appreciated.


Cisco Employee

Re: ASA WebVPN. How do you restrict access to users in an AD gr

Please check out the DAP deployment guide.

So each VPN session will come in on a specific Connection Profile (aka Tunnel Group - TG ) , with each TG having a default group-policy, GP. The GP contains the authorization attributes to apply to the session. DAP is a specialized Group Policy, but currently cannot set all attributes that the legacy GP does. DAP allows aggregation of authorization attributes , which the GP doesn't.

So for your case:

1) Connection ProfileX , Group-Policy X, 1 or more DAP(s) that check for ldap attribute.memberOf=CarpetBaggers

Set the Action=Continue

Note: LDAP attributes are case sensitive, so make sure memberOf has a capital O.

2) Set the DfltAccessPolicy DAP for Action=Terminate

3) Set your Connection Profile for LDAP authentication

4) On your console you can see the DAP processing with "debug dap trace".




Re: ASA WebVPN. How do you restrict access to users in an AD gr

This is exactly what I was looking for, and Nelson is correct. When you enter the DAP configuration for a profile click on "Advanced" and there is the option to create a logical expression. The guide (there is a button to access this) is really helpful, with a couple of examples. This is what I used:

   -- Match only when the LDAP DN is a string containing "OU=Users"
   -- (plain substring match, so it would also match e.g. "OU=UsersArchive")
   if ( (type(aaa.ldap.distinguishedName) == "string") and
        (string.find(aaa.ldap.distinguishedName, "OU=Users") ~= nil) ) then
       return true
   end
   return false

From the debug dap output you can see what "Users" relates to:

DAP_TRACE: Username: MyUsername, aaa.ldap.distinguishedName = CN=Mr B,OU=Users,OU=Site ******,DC=CH,DC=Mycompany,DC=com

My admin account fails to get me in to the same profile:

DAP_TRACE: dap_add_to_lua_tree:aaa["ldap"]["distinguishedName"]="CN=Admin Mr B,OU=Admin Users,OU=Site *****,DC=CH,DC=Mycompany,DC=com"
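The two replies above describe the same DAP idea from different angles: the first checks ldap attribute memberOf=CarpetBaggers, the second checks distinguishedName for a substring. The following is an added example (not code from either poster or from Cisco) of a DAP logical expression that keys on memberOf instead of the user's own DN, and handles the fact that the ASA exposes memberOf as a string for a user in one group and as a table for a user in several. The group DN "CN=CarpetBaggers,OU=Groups,DC=Mycompany,DC=com" is a constructed placeholder; use the value exactly as it appears in your own "debug dap trace" output, since the comparison is case sensitive.

```lua
-- Added example DAP logical expression (ASA "Advanced" DAP editor).
-- Grants access only to members of one specific AD group.
-- The group DN below is a constructed placeholder.
assert(function()
  local wanted = "CN=CarpetBaggers,OU=Groups,DC=Mycompany,DC=com"

  -- Compare the whole group DN rather than a substring, so a group named
  -- "CarpetBaggers-ReadOnly" or a similarly named OU does not match by accident.
  local function isWanted(dn)
    return type(dn) == "string" and dn == wanted
  end

  local groups = aaa.ldap.memberOf
  if type(groups) == "string" then
    -- User is in exactly one group: memberOf arrives as a single string.
    return isWanted(groups)
  elseif type(groups) == "table" then
    -- User is in several groups: memberOf arrives as a table of DNs.
    for _, dn in pairs(groups) do
      if isWanted(dn) then
        return true
      end
    end
  end

  -- No memberOf at all (user in no groups) or no matching group:
  -- this DAP record does not apply, so the session falls through to
  -- the DfltAccessPolicy (set to Action=Terminate, as in the first reply).
  return false
end)()
```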




ASA WebVPN. How do you restrict access to users in an AD group

Hi all,

I will get back to that post since there is something else that I would like to ask.

I have configured DAP policies and also user access lists (with the AD client installed).

But, what if you want the below scenario:

Apply policies between source AND destinations AD Groups.

Let the following 3 groups exist in the AD: sales, presales, accounting,

I want WebVPN users to have the following policies:

sales <-> sales: allow

presales <-> presales: allow

sales <-> presales: allow

sales <-> accounting: deny

presales <-> accounting: deny

accounting <-> accounting: allow

Keep in mind that I don't want to keep and maintain different client pools for each group.

I want this to be dynamic.

It would be great if I could use user-based ACLs with source and destination users and/or groups.
